If we all agreed that free apps (and services) come at a real cost, either in data or in subversive practices, and then started paying money for apps that provide value, do we think this sort of stuff would stop?
There's no reason why free (as in either libre or beer) software has to incur privacy or subversive-practice costs -- see Linux or PostgreSQL, for example.
The issue is that the ad network economy, as currently structured, allows inflicting these costs against consumers -- who couldn't possibly keep track of them all even when technologically well-educated because there are so many apps, SDKs, advertisers and publishers -- while incentivizing application authors to take part with the assumption that they are safe in the crowd.
Rather than pay $5 for an app and hope that it won't misbehave now and/or in future, it generally seems preferable to use a competing free and open source application backed by a community that can inspect and modify it to add features and fix any discovered problems. When such software doesn't exist, it can be developed given enough demand and interest.
No, of course not. The best example is the hugely expensive big TV screen that still comes with all of this, and there isn't even any particular service it offers.
Whenever you can make more money by packaging junk, somebody will do that.
Most people always go for the cheapest option no matter how junky it is, and no matter how much of an improvement paying a bit extra would make (exhibit A: airplane tickets for tourists).
It seems like the only working method to get rid of the junk is to outlaw it.
The question posed by the OP is systematic: people are willing to 'not pay' for things because the 'short term benefit' is 'less cost', while the longer term risk, i.e. 'hackerware', is more vague.
A lot of things in life are like this.
Back in the day, the fire dept. was private; they didn't come unless you were paying them insurance.
Given the common nature of 'fire' - and especially that it 'spreads to other homes' ... it makes too much sense for everyone to have it, and so we socialised it. We all pay for fire insurance via our homes.
The argument is that if people paid for apps, devs wouldn't have to resort to as much trickery, and there would be less use of malware. Though it's not so clear.
Given the excessive cost of iPhones and the significant rake on apps (~30%), Apple should cover this problem. They mostly do, but obviously not entirely.
I wonder if there should be a 3rd party lib repo where the code has to be open sourced, and 'someone' has to pay for a review of some kind. And you have to stick to such repos if you want a certain kind of certification.
It's an interesting problem in 2020, and looking back, it's almost amazing that in 1999 the web was so amazingly relatively safe, and that there wasn't so much existential angst over security. How naive we were!
Absolutely! Every minute spent on fine-tuning an ad SDK is a minute not spent on making the app better for paying customers. Most of these SDKs are not just drag and drop, either; developers have to spend a lot of time configuring the attribution schemes and to update them periodically.
There's a huge international market of potential app users that tolerate ads but would never pay to purchase an app. Even in affluent areas, many people balk at a $0.99 app but are totally fine with ads. This, of course, is the entire business model of Facebook, Instagram, etc.
The billion dollar question is: how do you monetize non-paying users, at scale, without ads?
I do think there's a problem where companies add ad network SDKs (or, on the web, ad tags) without considering the privacy or security risks, and instead think only "more ad networks will make us more money".
On the other hand, the two main options here are (a) people only install SDKs/tags from ad networks with strong reputations or (b) a system like AMP, where ad networks can choose between running in a sandbox (xdomain iframe) and submitting their code as an open source extension for review. Option (a) has the major downside of helping existing players and players with non-ads businesses that strengthen their reputation (like my employer). Option (b) is better, but still hard to do well.
(Disclosure: I work for Google, on ads. Speaking only for myself.)
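The sandbox option in the comment above (an ad tag confined to a cross-origin iframe) is something a publisher can check for in its own markup. The following is an added example, not code from this thread, from AMP or from Google: a small auditor that parses `<iframe>` tags out of a page fragment and reports the conditions under which the sandbox does not actually isolate the ad. The publisher origin `https://publisher.example` and the three sample snippets are constructed for illustration.

```javascript
// Added example: audit ad-tag iframes for the isolation properties a
// sandboxed cross-origin embed is supposed to provide.
// PUBLISHER_ORIGIN is an assumed value; the sample page below is constructed.

const PUBLISHER_ORIGIN = "https://publisher.example";

// Extract every <iframe ...> tag and return its attributes as an object.
// Values may be double-quoted, single-quoted or bare; a bare attribute
// (e.g. a sandbox with no value) maps to the empty string.
function parseIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const attrs = {};
    const body = tag.slice(7, -1); // drop "<iframe" and the closing ">"
    const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
    let m;
    while ((m = re.exec(body)) !== null) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
    }
    return attrs;
  });
}

// Return a list of findings for one iframe; an empty list means the frame is
// cross-origin to the publisher and carries a sandbox without the tokens that
// weaken it.
function auditIframe(attrs, publisherOrigin = PUBLISHER_ORIGIN) {
  const findings = [];
  if (!attrs.src) {
    findings.push("missing src: cannot establish frame origin");
    return findings;
  }
  let src;
  try {
    src = new URL(attrs.src, publisherOrigin); // relative src resolves to the publisher
  } catch {
    findings.push("unparseable src");
    return findings;
  }
  if (src.origin === new URL(publisherOrigin).origin) {
    findings.push("frame is same-origin with the publisher: no origin isolation");
  }
  if (!("sandbox" in attrs)) {
    findings.push("missing sandbox attribute");
    return findings;
  }
  const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has("allow-same-origin") && tokens.has("allow-scripts")) {
    // With both tokens the framed document keeps its real origin; if that origin
    // is the publisher's, its script can remove the sandbox attribute entirely.
    findings.push("allow-same-origin with allow-scripts weakens the sandbox");
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation lets the frame navigate the whole page");
  }
  return findings;
}

// Audit a whole page fragment: one result per iframe.
function auditPage(html, publisherOrigin = PUBLISHER_ORIGIN) {
  return parseIframes(html).map((attrs) => ({
    src: attrs.src,
    findings: auditIframe(attrs, publisherOrigin),
  }));
}

// Constructed sample: one properly isolated ad frame, one without a sandbox,
// and one same-origin frame whose sandbox tokens undo the isolation.
const SAMPLE_PAGE = `
<iframe src="https://ads.example/tag.html" sandbox="allow-scripts"></iframe>
<iframe src="https://ads.example/tag.html"></iframe>
<iframe src="/partials/ad.html" sandbox="allow-scripts allow-same-origin"></iframe>
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditPage(SAMPLE_PAGE), null, 2));
}
```

Run with `node` to print the findings for the sample page; on the constructed input the first frame reports nothing, the second reports a missing sandbox, and the third reports both the same-origin condition and the weakening token pair.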
I think a big problem here is the lack of liability.
If you are making a hardware device, decide to include a dodgy module from AliExpress, and then the device starts catching fire and burning your customers' homes, you will at least be subject to a lawsuit, so you won't even consider doing this.
This should be the same when it comes to third-party binaries and SDKs. Even if you respect the law (when it comes to privacy, GDPR, consumer rights, etc.), you also need to do your due diligence and make sure any third-party code you embed also respects it; otherwise you should be subject to lawsuits.
The result would be that a lot of dodgy ad networks would go away (because no respectable app developer would do business with them), ad networks themselves would be more selective in what kind of ads they run (ad prices will go up to compensate for the cost of vetting them), and overall I think it'll be a win for everyone; customers are not only safer but also see higher quality ads because the "bottom of the barrel" stuff has been pushed out of the market.
Malicious code benefits from nobody being able to see your code, whether it's paid or free. If your app, build process, etc. is publicly visible on GitHub/GitLab/BitBucket/etc., malicious code can't hide.